Four Years Later, FTC Continues to Challenge Misleading Marketing and Privacy Practices

As we discussed in a 2014 Ice Miller publication, the Federal Trade Commission (FTC) can take action to hold your company accountable for promises made in privacy notices. Last month, Venmo learned the hard way that the FTC remains committed to that goal.

On May 24, 2018, the FTC unanimously approved a settlement with PayPal, Inc. after PayPal’s peer-to-peer payment service app, Venmo, allegedly deceived users about its privacy practices, security controls, and fund transfer policies.[1] Accessible on smart devices and free of charge, Venmo is a convenient and cheap service to pay rent or split the check.[2] But in light of the FTC’s investigation, your company should closely re-examine its privacy statements and security procedures.

The FTC targets misleading marketing statements and privacy settings.

According to the Complaint, Venmo notified users when funds were available for transfer to an external bank account, but failed to tell users the funds could be frozen or removed subject to the app’s review of the transaction for fraud or other suspicious activity.[3] The FTC found Venmo’s review process particularly troubling, because the app marketed overnight transfers or transfers “in as little as one business day,” even though the company was fully aware of mounting consumer complaints about delayed or declined transfers.[4]

Venmo’s privacy settings also allegedly misled users. The app allows users to share their purchases publicly on the app’s social news feed, but also permits users to limit their “default audience” privacy setting. The FTC stated the setting made users believe that limiting the default audience setting to “Participants Only” would keep transactions private regardless of whether the participant sent or received payment. Instead, the consumer also has to change a second setting below the default audience option, as depicted below and in the Complaint, and must select “Only Me” under the second privacy setting.[5] Allegedly, Venmo did not adequately disclose this procedure to consumers and misrepresented what steps were necessary to keep transactions private.

Marketing a product well sometimes requires risk-taking and boundary-pushing. But crossing the line between clever and deceptive carries dangerous consequences for your business. Financial damages to users resulting from marketing statements that may be viewed as deceptive provide tangible evidence of harm. Similarly, unclear or difficult privacy procedures may confuse consumers and draw the ire of the FTC.

Information security practices must be accurately represented.

According to the Complaint, Venmo also made untruthful public statements on its website and app about its information security principles. For example, the app stated Venmo “uses bank-grade security systems and data encryption to protect your financial information” and prevents unauthorized transactions or access to personal information, which allegedly turned out to be inaccurate.[6] According to the Complaint, until March 2015, Venmo lacked sufficient security practices to protect user confidentiality and even failed to notify customers when their email addresses/passwords were changed and new devices were added to the account. Both scenarios allegedly led to successful hacks of user accounts.[7]

Financial institutions’ privacy practices must comply with the Gramm-Leach-Bliley Act.

The Gramm-Leach-Bliley Act (“GLBA”)[8] is a federal law that requires “financial institutions” to provide accurate, clear, and conspicuous notice of their privacy practices (the Privacy Rule)[9] and to establish safeguards that keep customers’ personal information safe and confidential (the Safeguards Rule).[10] Because Venmo is a financial institution, it must comply with the GLBA. In a previous Ice Miller publication, we provided more detail on who must comply with the GLBA and how your company can avoid FTC penalties for non-compliance.

Under the Privacy Rule, Venmo must provide users with a clear and conspicuous initial privacy notice that accurately reflects the app’s privacy practices, and the notice must be delivered in a way that users can reasonably be expected to receive it. The FTC found the app’s privacy policy, hyperlinked in grey text on a grey background in much smaller font than the rest of the app’s text, was unclear to the reasonable user.[11] Furthermore, the FTC concluded that the privacy statement failed the second and third Privacy Rule requirements, because it is inaccurate and because the app does not require the user to receive it before accepting the service. Yes, Venmo provides a link for customers to visit the privacy policy, but they can create a Venmo account without ever receiving it.[12]

The FTC also alleged that Venmo violated the Safeguards Rule, which requires companies to assess and address the risks to customer information in all areas of their operation. The Rule requires companies to develop a written information security plan that describes their programs to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Through August 2014, the app had no written security program; until September 2014, the app failed to address reasonably foreseeable internal and external security concerns; and until March 2015, the app failed to implement basic safeguards—such as security notifications and customer support—for user information.[13]

Key takeaways.

Generally, privacy policies should be accessible and digestible for the user, and security guarantees should be accurate and effective. When selling a home, you’d prefer to not say anything about the water damage in the basement, but an appraiser might sue you if you don’t. Similarly, you don’t want privacy policies or security notification procedures to be the first things a potential customer sees or questions, but hiding these policies or exaggerating your security practices, in violation of the GLBA, might leave you reporting biennially to the FTC for the next 10 years.[14]

Notification can sometimes be the most helpful feature of your security practices. Preventative measures should maintain data integrity as much as possible, but breaches and unauthorized access are inevitable. Quickly communicating with your user can reduce the damage, and it may even reveal that the event was an error by the user rather than a compromised account. If you fail to implement either or both safeguards—preventative measures and notification processes—you’re setting yourself up for a privacy headache. Not only might you cause harm and frustration to the user, you also risk an FTC enforcement action for non-compliance with federal laws like the Gramm-Leach-Bliley Act.
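As an added illustration (not code from this article, Venmo, or the FTC) of the account-change notifications the Complaint said were missing until March 2015 and that the takeaways above recommend, the following Python sketch makes every email change, password change and new-device sign-in produce a notification, and on an email change also notifies the previous address so an account takeover cannot silence the alert. The account, address and device values are constructed.

```python
"""Added example (not Ice Miller's, Venmo's or the FTC's code).

Models the three "basic safeguards" the Complaint said Venmo lacked:
notifying the user when an email address changes, when a password
changes, and when a new device is added to the account. Names and
sample values are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    known_devices: set = field(default_factory=set)


@dataclass
class Notification:
    to: str        # recipient address
    event: str     # what happened
    detail: str    # context shown to the user


def change_email(acct: Account, new_email: str) -> list[Notification]:
    """Change the contact address and notify BOTH the old and new addresses."""
    old = acct.email
    acct.email = new_email
    msg = f"email changed from {old} to {new_email}"
    # The old address is notified first: if the change was not made by the
    # user, that inbox is the one they still control. Notifying only the new
    # address would let an unauthorized change go unnoticed.
    return [Notification(old, "email_changed", msg),
            Notification(new_email, "email_changed", msg)]


def change_password(acct: Account) -> list[Notification]:
    """Record a password change (hashing/storage omitted) and tell the user."""
    return [Notification(acct.email, "password_changed",
                         "your password was changed; contact support if this was not you")]


def record_login(acct: Account, device_id: str) -> list[Notification]:
    """Notify only when a device not seen before is added to the account."""
    if device_id in acct.known_devices:
        return []          # known device: no alert, avoids notification fatigue
    acct.known_devices.add(device_id)
    return [Notification(acct.email, "new_device",
                         f"new device {device_id} signed in to your account")]
```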

Summer clerk Mason Clark was the lead author for this article. For guidance on data protection and privacy compliance, please contact Stephen Reynolds or Martha Kohlstrand. Stephen Reynolds, a former computer programmer and IT analyst, is a partner in Ice Miller’s Litigation Group and co-chair of Ice Miller’s Data Security and Privacy Practice. Martha Kohlstrand is an associate in Ice Miller’s Litigation Group and focuses much of her work on data protection and privacy issues.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.